Security Snacks is a weekly digest of the most notable InfoSec news.
Its purpose is to provide a one-stop source for getting a high-level view of the state of security and hacking.
After witnessing state-sponsored threat actors targeting a slew of security vendors, we’re now learning about an even more brazen campaign: an elaborate state-sponsored social engineering attack targeting prominent security researchers and probably involving a Chrome zero-day exploit.
Other noteworthy news this week includes three Apple iOS zero-days and critical SAP and RDP bugs, all being exploited in the wild, plus a newly discovered 10-year-old security vulnerability in Sudo impacting most Unix and Linux-based systems.
Notable Security News
Google TAG identified an elaborate social engineering campaign attributed to North Korea targeting security researchers. To establish credibility, the attackers created a technical blog containing write-ups of public vulnerabilities and used fake social media personas (e.g. ‘James Willy’, ‘Zhang Guo’, and ‘Billy Brown’…). They contacted well-known researchers via social media or email and offered to collaborate on vulnerability research. They then sent the researchers a malware-laced Visual Studio project to take control of their machines.
A second attack vector was the attackers’ fake blog, which hosted malicious code that infected victims’ systems simply when they visited it. Since some of the victims were running a fully patched Chrome browser, this suggests that Chrome zero-days were probably used.
The campaign was also noticed by Microsoft, which tracks the same threat actors as ZINC and shared a technical blog post confirming Google’s findings.
Security researchers from Qualys discovered a critical privilege escalation flaw in Sudo. CVE-2021-3156, nicknamed “Baron Samedit” (a contraction of Baron Samedi and sudoedit), is a heap overflow bug that allows any unprivileged user to gain root privileges and take over the system. It affects all Sudo versions released in the past ten years and most Unix and Linux-based operating systems. Patching as soon as possible is recommended, considering that we’ll likely soon see public exploits and in-the-wild exploitation.
CVE-2020-6207 is a Missing Authentication Check vulnerability in SAP Solution Manager that was made public last year. It allows unauthenticated remote attackers to take over vulnerable systems with admin privileges. Onapsis Research Labs, which initially discovered the bug, is warning that attackers are currently actively scanning for it and has shared recommendations to secure SAP systems against this.
Microsoft Remote Desktop Protocol (RDP) is intended to provide authenticated remote access to Windows workstations and servers. Netscout found that RDP services configured to run on UDP port 3389 can be abused to amplify Distributed Denial of Service (DDoS) attacks. This has been weaponized and is exploited by DDoS-for-hire services. The attack can be mitigated either by disabling UDP access or by putting RDP servers behind a VPN.
Apple fixed three new iOS zero-days exploited in the wild. One affects the operating system kernel and allows for privilege escalation; the other two affect WebKit and allow remote arbitrary code execution. Apple has yet to disclose more details. In the meantime, iOS users should keep their devices updated.
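One way a defender can tell whether their own RDP host is being used as a UDP/3389 reflector, as an added example that is not part of the digest or of Netscout’s research: the script below assumes flow records in a constructed CSV shape (proto,src_ip,src_port,dst_ip,dst_port,bytes), a constructed server address, and hypothetical threshold values, and flags peers that receive far more bytes from the server than they send to it.

```python
"""Added example: spot an RDP host acting as a UDP/3389 amplification reflector.
Runs over constructed flow records (proto,src_ip,src_port,dst_ip,dst_port,bytes);
it is not Netscout's tooling or part of the original digest."""
from collections import defaultdict

RDP_SERVER = "10.0.0.5"   # constructed address of our RDP host
RDP_UDP_PORT = 3389

# Constructed flows: three tiny requests answered with large replies, then a benign exchange.
FLOWS = """\
udp,203.0.113.9,40001,10.0.0.5,3389,60
udp,10.0.0.5,3389,203.0.113.9,40001,5200
udp,203.0.113.9,40002,10.0.0.5,3389,60
udp,10.0.0.5,3389,203.0.113.9,40002,5200
udp,203.0.113.9,40003,10.0.0.5,3389,60
udp,10.0.0.5,3389,203.0.113.9,40003,5200
udp,198.51.100.7,50321,10.0.0.5,3389,1400
udp,10.0.0.5,3389,198.51.100.7,50321,1900
"""

def parse_flows(text):
    """Split 'proto,src_ip,src_port,dst_ip,dst_port,bytes' lines into tuples."""
    return [(p, sip, int(sp), dip, int(dp), int(b))
            for p, sip, sp, dip, dp, b in (l.split(",") for l in text.splitlines())]

def rdp_udp_peer_stats(rows, server=RDP_SERVER, port=RDP_UDP_PORT):
    """Per remote peer: bytes received, bytes sent and request count on UDP/3389."""
    stats = defaultdict(lambda: {"in": 0, "out": 0, "requests": 0})
    for proto, sip, sport, dip, dport, nbytes in rows:
        if proto != "udp":
            continue
        if dip == server and dport == port:      # request arriving at our server
            stats[sip]["in"] += nbytes
            stats[sip]["requests"] += 1
        elif sip == server and sport == port:    # reply leaving our server
            stats[dip]["out"] += nbytes
    return dict(stats)

def find_reflection_victims(rows, min_ratio=10.0, min_requests=3):
    """Peers receiving amplified replies. Requests are spoofed with the victim's
    address, so the flagged peer is the DDoS target, not the attacker."""
    flagged = {}
    for peer, s in rdp_udp_peer_stats(rows).items():
        if s["in"] == 0 or s["requests"] < min_requests:
            continue
        ratio = s["out"] / s["in"]               # amplification factor toward this peer
        if ratio >= min_ratio:
            flagged[peer] = round(ratio, 1)
    return flagged
```

A hit here is a signal to block inbound UDP/3389 at the edge (or move the host behind a VPN), as the digest recommends, rather than to contact the flagged address, which is the victim.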
Other Interesting News
- Domain for popular programming website Perl.com stolen in ‘hack’
- SonicWall Investigating Zero-Day Attacks Against Its Products
- Four security vendors disclose SolarWinds-related incidents
- FSB warns of US cyberattacks after Biden administration comments
- New cybercrime tool can build phishing pages in real-time
- Even dead employees pose a security risk when their accounts are still active
- Former LulzSec Hacker Releases VPN Exploit Used to Hack Hacking Team
- Blind TCP/IP hijacking is resurrected for Windows 7
- KindleDrip: Critical vulnerabilities in Amazon Kindle e-reader gave attackers free rein over user accounts
- Buzzy New Social Media Site Pillowfort Is Riddled With Basic Bugs
- South African government releases its own browser just to re-enable Flash support
- Deactivation of Flash may have crippled Chinese railroad for a day [Updated]
- KEMTLS: Cloudflare trials new encryption mechanism in anticipation of post-quantum TLS shortcomings
- Chrome and Edge want to help with that password problem of yours
- Nmap project becomes latest victim of Google’s ‘wrongful blocking’ of cybersecurity resources
- Command ‘n’ control botnet of notorious Emotet Windows ransomware shut down in multinational police raid
- Stack Overflow: Here’s what happened when we were hacked back in 2019